Purpose of NIST SP 800-82 Rev 2
The U.S. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-82 Revision 2, Guide to Industrial Control Systems (ICS) Security, presents guidelines for federal agencies that own and operate ICS. The publication gives an overview of ICS and their typical implementation architectures, identifies the risks and vulnerabilities characteristic of these systems, and recommends security countermeasures to mitigate those risks.
Since its release in 2015, this publication has been widely adopted and extensively referenced in the private sector’s industrial automation and control systems community. It is written for cybersecurity, IT, and plant operations professionals.
NIST SP 800-82 Rev 2 incorporates recommendations from the ISA/IEC 62443 series of industry standards. What ISA/IEC 62443 calls Industrial Automation and Control Systems (IACS) is referred to as Industrial Control Systems (ICS) in this publication.
An overview of ICS
ICS include Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and Programmable Logic Controllers (PLC).
- SCADA systems supervise assets dispersed over large geographic areas, collecting data from remote sites and monitoring and controlling the automation systems there. A SCADA system may supervise multiple DCS.
- DCS monitor and control multiple automation systems within a single plant in near real time. A DCS may manage several or all of the plant's PLCs.
- PLCs read inputs from sensors, execute control logic, receive set points and commands from the DCS or SCADA system, and send output signals that move the physical actuators. They are the boundary between the cyber world and the physical world.
ICS are used extensively in virtually every industrial sector and in critical infrastructure such as electric power, water, oil and gas, transportation, chemicals, pharmaceuticals, and essential manufacturing such as automotive and aerospace. These control systems are often complex, highly interconnected, and interdependent.
Cyber risks to ICS
Traditionally, ICS had little to do with IT systems. They were siloed systems that ran proprietary control protocols on specialized hardware and software, were protected by physical security controls, and were not connected to untrusted networks, including the corporate IT network. The availability of low-cost Internet Protocol (IP) capable devices has changed this: over the past two decades, proprietary solutions have steadily been replaced with IP-capable networked devices. This gradual evolution towards Industry 4.0 has unlocked many benefits, such as remote management and improved operational productivity, but it has also exposed these critical operational systems to a new dimension of cybersecurity threats and vulnerabilities.
The need to secure these systems has therefore grown. It may seem logical to apply well-established IT security practices and solutions directly to IP-capable ICS devices, but they must be tailored to the unique characteristics of ICS environments.
ICS have a direct effect on the physical world. They are built for real-time response, high availability, and reliability. Unplanned changes or interference can have operational, financial, health, safety, and environmental consequences, so cybersecurity precautions must be taken without degrading performance and reliability.
According to NIST SP 800-82 Rev 2, potential cyber incidents include the following:
- Interruption of critical data flows could prevent the safe and reliable operation of ICS devices.
- Unauthorized modification of ICS devices could disable, interrupt, or impair hazardous processes and endanger the environment or human life.
- Unreliable information or alerts sent to system operators could trigger incorrect operator actions with adverse outcomes.
- Malware infection, modification, or other compromise of ICS software or configuration settings could have a range of negative consequences.
- Interference with the operation of equipment protection systems could cause catastrophic failure of major plant equipment, including heat exchangers, piping, pumps, compressors, and electrical systems.
- Interference with the operation of safety systems could expose people to dangerous conditions.
Objectives of ICS cybersecurity programs
Cybersecurity is essential to the safety and reliability of modern, cyber-enabled industrial processes. NIST recommends that plant ICS cybersecurity programs be integrated with enterprise-wide ICS safety and reliability programs to meet the following cybersecurity objectives:
- Restrict logical access to the ICS network and network activity
- Restrict physical access to the ICS network and devices
- Protect individual ICS components from exploitation
- Restrict unauthorized modification of data
- Detect security events and incidents
- Maintain functionality during adverse conditions
- Restore the system after an incident
Multidisciplinary approach to ICS cybersecurity
To achieve the objectives of an ICS cybersecurity program, a multidisciplinary cybersecurity team needs to be in place. The cross-functional team should assess and mitigate cyber risks to the ICS and suggest countermeasures that balance operational safety and reliability with security.
NIST suggests that the cybersecurity team should comprise a member of the IT staff, a control engineer, a control system operator, a network and system security expert, a member of the management staff, and a member of the physical security department. In addition, the team should consult with the system vendor and the system integrator. Finally, the team should coordinate closely with site management and the organization's CIO or CSO, who bears ultimate responsibility for ICS cybersecurity and for any incident affecting plant operations.
An effective ICS cybersecurity program should be based on a defense-in-depth strategy: multiple, independent security layers, so that the compromise of any one layer has limited impact. In ICS environments, a defense-in-depth strategy should include the following:
- Develop ICS-specific security policies, procedures, and training programs.
- Base security policies and procedures on current threat intelligence, and raise the security posture when the threat level increases.
- Address security throughout the ICS lifecycle, from initial design through installation, maintenance, and decommissioning.
- Design the ICS network topology in multiple layers, with the innermost and most protected layer holding the most critical systems and communications.
- Logically segment the corporate and ICS networks.
- Employ a DMZ architecture so that there is no direct communication between the corporate and ICS networks; every data flow between them terminates in the DMZ.
- Ensure redundancy of critical systems.
- Design critical systems to be fault tolerant, so that a single failure does not cascade into a catastrophic event.
- Disable unused ports and services on ICS devices, after testing that doing so does not affect ICS operation.
- Restrict physical access to ICS networks and devices.
- Apply least privilege to all access to ICS systems.
- Use strong, risk-based authentication for access to ICS systems, stepping up the authentication requirement for higher-risk operations.
- Deploy intrusion detection, antivirus, and file integrity checking controls to prevent, deter, detect, and mitigate the introduction, exposure, and propagation of malicious software.
- Apply encryption and cryptographic hashing to protect data at rest and in transit, where the latency and processing constraints of the devices allow.
- Apply patches only after testing them under field conditions on a test system.
- Implement continuous monitoring to track and audit all critical systems and components.
- Use reliable and secure network protocols and services where feasible.
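As an added worked example (not part of NIST SP 800-82 or the original post), the following Python script audits a simplified three-zone firewall rule set against three of the list items above: DMZ mediation between the corporate and ICS networks, disabling unused services on ICS devices, and least privilege. The zone names, the Rule format, the sample rule set and the approved-service list (including Modbus/TCP on port 502) are assumptions chosen for illustration, not recommendations; a real deployment would export the rule set from the firewall in use and maintain the approved-service list from the site's asset inventory.

```python
"""Segmentation audit for a three-zone (corporate / DMZ / ICS) firewall rule set.

Added example, not part of NIST SP 800-82 or the original post. Zone names,
the Rule format and the approved-service list are assumptions for illustration.
Checks implemented, mapped to the defense-in-depth items above:
  * no traffic may pass directly between the corporate and ICS zones (DMZ mediation);
  * only approved services on ICS devices are reachable from the DMZ (unused services disabled);
  * the rule set ends with an explicit catch-all deny.
Rules are evaluated first-match, as most firewalls do; unmatched traffic is denied.
"""
from dataclasses import dataclass
from typing import Optional

CORPORATE, DMZ, ICS, ANY = "corporate", "dmz", "ics", "any"


@dataclass(frozen=True)
class Rule:
    src: str             # zone name or ANY
    dst: str             # zone name or ANY
    proto: str           # "tcp", "udp" or ANY
    port: Optional[int]  # destination port; None matches every port
    action: str          # "allow" or "deny"

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (self.src in (src, ANY) and self.dst in (dst, ANY)
                and self.proto in (proto, ANY)
                and (self.port is None or self.port == port))


def permits(rules, src, dst, proto, port) -> bool:
    """The first matching rule decides; traffic matching no rule is denied."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action == "allow"
    return False


def probe_ports(rules):
    """Every (proto, port) named by a rule, plus one port per protocol that no rule
    names. All unnamed ports are treated identically by the rule set, so this small
    set exercises every distinct decision it can make, including 'any port' rules."""
    named = set()
    for r in rules:
        if r.port is None:
            continue
        for proto in (("tcp", "udp") if r.proto == ANY else (r.proto,)):
            named.add((proto, r.port))
    used = {p for _, p in named}
    spare = next(p for p in range(1, 65536) if p not in used)
    return sorted(named | {("tcp", spare), ("udp", spare)})


def audit(rules, approved_ics_services):
    """Return a list of human-readable findings; an empty list means the rule set passes."""
    findings = []
    ports = probe_ports(rules)
    # 1. Corporate and ICS zones must never talk directly, in either direction.
    for src, dst in ((CORPORATE, ICS), (ICS, CORPORATE)):
        for proto, port in ports:
            if permits(rules, src, dst, proto, port):
                findings.append(f"direct {src}->{dst} traffic permitted on {proto}/{port}; "
                                "route it through the DMZ")
    # 2. Only approved services on ICS devices may be reachable from the DMZ.
    for proto, port in ports:
        if permits(rules, DMZ, ICS, proto, port) and (proto, port) not in approved_ics_services:
            findings.append(f"ICS exposes unapproved service {proto}/{port} to the DMZ; "
                            "disable it or approve it explicitly")
    # 3. Do not rely on the firewall's implicit default; require an explicit catch-all deny.
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == last.dst == last.proto == ANY
            and last.port is None):
        findings.append("rule set does not end with an explicit catch-all deny")
    return findings


# Constructed sample rule set for a hypothetical plant; the two marked rules are the defects.
SAMPLE_RULES = [
    Rule(CORPORATE, DMZ, "tcp", 443, "allow"),  # business users reach the DMZ historian replica
    Rule(ICS, DMZ, "tcp", 443, "allow"),        # plant historian pushes data out to the DMZ replica
    Rule(DMZ, ICS, "tcp", 502, "allow"),        # DMZ data collector polls controllers (approved below)
    Rule(CORPORATE, ICS, "tcp", 502, "allow"),  # DEFECT: corporate hosts talk straight to controllers
    Rule(DMZ, ICS, "tcp", 23, "allow"),         # DEFECT: telnet left reachable on a controller
    Rule(ANY, ANY, ANY, None, "deny"),          # explicit default deny
]
# Assumed site allowlist of services that ICS devices may expose to the DMZ.
APPROVED_ICS_SERVICES = {("tcp", 502)}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, APPROVED_ICS_SERVICES):
        print("FINDING:", finding)
```

Run against the constructed sample, the audit reports exactly the two defective rules. The spare-port probe is what catches an "any port" allow into the ICS zone: such a rule permits a port no other rule mentions, and that port is not on the approved list. The catch-all check is deliberate even though `permits()` already defaults to deny; the audit should not assume the production firewall shares that default.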
Selecting security controls
Securing an ICS should be based on a combination of policies and a selection of appropriate security controls. Selecting and implementing controls in an ICS environment must be considered carefully because of the implications the controls themselves may have for operational safety and reliability.
The selection of the security controls to implement a defense-in-depth strategy should consider factors such as:
- Adequate mitigation of cybersecurity risks without disrupting operational mission and business functions.
- Lessons learned from previous implementations of the controls.
- Level of assurance that the selected security controls will produce the desired outcome.
Selection of the appropriate security controls should begin with the minimum requirements outlined in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. These baseline controls must then be augmented with ICS-specific security controls and control enhancements drawn from NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations; SP 800-82 Rev 2 itself provides such an ICS overlay of the SP 800-53 baselines in its Appendix G. SP 800-53 should be read in conjunction with NIST SP 800-53B (a draft at the time of writing), which provides security and privacy control baselines for low-, moderate-, and high-impact systems, together with tailoring guidance for the control selection process.
How ORIGNIX helps
ORIGNIX delivers bespoke cybersecurity engineering services for inherently safer design and operation of industrial processes. We perform systematic cyber and operational risk assessments using well-established techniques and templates, and follow industry-recognized cybersecurity, control system, and process safety standards. Our cyber Process Risk Assessment (cyberPRA) methodology identifies gaps, hazards, vulnerabilities, and independent protection layers associated with engineered industrial processes at plant facilities. The identified cyber risks are prioritized based on a realistic cost-benefit analysis.
To learn how our customers benefit, visit our website.
Authors' note: This blog was co-authored by Saif Shariff and Anastasios Arampatzis.